Washington’s My Health My Data Act Just Signed into Law: It May Have a Surprising Impact on Your Privacy Program
Introduction
On April 27, 2023, Washington Governor Jay Inslee signed into law Engrossed Substitute House Bill 1155 (the “My Health My Data Act” or “Act”). The Act is designed to protect not only the health data of Washington residents, but also the health data of non-residents that is processed in any manner in the state of Washington, to the extent that data does not fall under the definition of protected health information under the federal Health Insurance Portability and Accountability Act (“HIPAA”) or another specified, exempted category of information.
Because the Act is so sweeping in nature, it will impose onerous compliance obligations on a wide array of entities that: (1) either conduct business in the state of Washington or produce or provide products or services targeted to consumers in Washington; and (2) alone or jointly with others, determine the purposes and means of collecting, processing, sharing or selling consumer health data. The Act will also impose compliance obligations on processors, affiliates, contractors, and other third parties.
The Act has a very broad definition of consumer health data, and will impose legal obligations relating to the collection, processing, sharing, or selling of personal information linked or reasonably linkable to a consumer’s past, present, or future physical or mental health status. The Act provides a non-exhaustive list of consumer health data that includes not only personal information about medical conditions, treatments, diseases, diagnoses, health-related surgeries, bodily functions, and reproductive or sexual health information (itself very broadly defined), but also personal information that many people might not intuitively view as health information. This includes biometric data and genetic information, both of which are broadly defined, as well as precise location information that could reasonably indicate an individual’s attempt to acquire not only health services, but also health “supplies.” The breadth of this definition is likely to surprise many regulated entities, as well as the affiliates, processors, contractors, and other third parties with which regulated entities share consumer health data.
Because there are no entity-level exemptions in the Act, the Act will apply not only to entities falling outside of the scope of federal privacy laws, such as HIPAA and GLBA, but also to entities that fall within the scope of such laws to the extent that they collect, process, share, or sell types of personal information not covered by relevant personal information definitions (e.g., HIPAA’s definition of “protected health information;” GLBA’s definition of “nonpublic personal information”).
Because of the broad scope of the law and the potential penalties associated with the Act, it is important to assess the applicability of the Act and the potential impact it could have on your organization’s privacy obligations. We have written this blog post to provide a high-level overview of the Act’s scope and to highlight its key provisions. We have prepared a more detailed client alert, which we can provide upon request.
When Will the Act Come into Effect?
The Act contains one obligation with no stated effective date: the geofencing prohibition. Under Washington law, a provision without a stated effective date takes effect 90 days after the end of the legislative session, so this obligation could be deemed effective as soon as 90 days after April 23, 2023, the end of the last legislative session. The other provisions have an effective date of March 31, 2024, for most “Regulated Entities” (as defined below), and an effective date of June 30, 2024, for Regulated Entities that constitute “Small Businesses” (as defined below).
What Data is the Act Designed to Protect?
The Act is designed to provide strong privacy protections for consumer health data outside of the HIPAA context. A “Consumer” is defined as: (1) a natural person who is a Washington resident; or (2) a natural person (regardless of the person’s residence) whose consumer health data is collected in Washington. The term “Collect” is broadly defined under the Act as “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.” The definition of Consumer covers only individuals acting in an individual or household context; it does not extend to individuals acting in any other context.
The Act is designed to protect a broad range of personal information, including not only data related to physical and mental health, but also fitness, nutrition, and wellness data, as well as information derived or extrapolated from nonhealth information that is used to associate or identify a Consumer with the Act’s enumerated types of health data. “Consumer Health Data” is defined by the Act as personal information that is linked or reasonably linkable to a Consumer and that identifies the Consumer’s past, present, or future physical or mental health status. The Act provides a non-exhaustive list of types of information that fall under the category of physical or mental health status, including social and behavioral interventions; bodily functions, vital signs, symptoms, or measurements of the other listed types of information; diagnostic testing; reproductive or sexual health information (including reproductive or sexual health information that is inferred from nonhealth information); biometric data; genetic data; precise location information that could reasonably indicate a Consumer’s attempt to acquire or receive health care services or supplies; and any information processed to associate a Consumer with Consumer Health Data that is derived or extrapolated from nonhealth information.
The Act sets forth a limited number of data-level exemptions for specified types of information, including but not limited to an exemption for personal information meeting the definition of protected health information under HIPAA, as well as “[i]nformation originating from, and intermingled to be indistinguishable with, such specified types of information that is maintained by a HIPAA covered entity or business associate.” The Act also exempts personal information subject to specified other federal and state regulations and rules (e.g., GLBA, FCRA, FERPA, Washington’s privacy rules adopted by the insurance commissioner).
What Types of Entities will have Compliance Obligations under the Act?
The Act primarily applies to Regulated Entities, including Small Businesses. A “Regulated Entity” is defined as any legal entity that: (1) conducts business in Washington or produces or provides products or services targeted to Consumers in Washington; and (2) alone, or jointly with others, determines the purpose and means of Collecting, processing, sharing, or selling Consumer Health Data. “Small Businesses” are Regulated Entities that either (1) Collect, process, sell, or share the Consumer Health Data of fewer than 100,000 Consumers during a calendar year; or (2) derive less than 50 percent of gross revenue from the Collection, processing, selling, or sharing of Consumer Health Data and control, process, sell, or share the Consumer Health Data of fewer than 25,000 Consumers. There are no size or revenue thresholds triggering applicability of the Act; the Small Business thresholds only determine which effective date applies, and, as noted above, Small Businesses have a longer period of time to prepare to meet their obligations.
The Act does not provide for any entity-level exemptions. But the Act does set forth limited data-level exemptions (e.g., protected health information as defined by HIPAA, information subject to GLBA).
Significantly, the Act imposes direct obligations and restrictions on processors of Consumer Health Data. “Processors” are persons or entities that process Consumer Health Data on behalf of a Regulated Entity. For example, Processors are prohibited from processing Consumer Health Data unless such processing takes place in accordance with a binding contract with a Regulated Entity. If a Processor fails to comply with a Regulated Entity’s instructions or processes Consumer Health Data outside the scope of its agreement with a Regulated Entity, the Processor will itself be deemed a Regulated Entity (or Small Business) with respect to that processing.
What Do Affected Organizations Need to Do to Comply with the Act?
The Act sets forth obligations and restrictions for Regulated Entities, including Small Businesses. Key obligations and restrictions imposed by the Act on all Regulated Entities, including Small Businesses, include the following:
- Publish a Consumer Health Data Privacy Policy. Regulated Entities must provide a link on the homepage(s) of their website(s) to their “Consumer Health Data Privacy Policy.”
- Either Refrain from Selling Consumer Health Data or Implement Onerous Processes to Manage Authorizations. Regulated Entities that sell any Consumer Health Data must obtain valid, signed authorizations from Consumers before selling such data. The term “Sale” is broadly defined as “the exchange of Consumer Health Data for monetary or other valuable consideration.” This broad definition is likely to sweep in a wide range of data transfers, including transfers for purposes of third-party targeted advertising. Note that the Act treats consent and authorization differently: a Sale requires a separate, signed authorization, which is a higher bar than the consent required for Collection and Sharing. It will be very difficult for Regulated Entities to comply with the Act’s requirements for valid authorizations (e.g., content, renewal, and retention obligations).
- Obtain Valid Consent for the Collecting or Sharing of Consumer Health Data. Regulated Entities must obtain valid consent before Collecting or sharing any Consumer Health Data unless the Collection or sharing of Consumer Health Data is necessary to provide a product or service the Consumer has requested, or the use is a permitted use under the Act. “Sharing” means releasing, disclosing, disseminating, divulging, making available, providing access to, licensing, or otherwise communicating Consumer Health Data.
- Provide Notice and Obtain Consent and/or Valid New Authorizations Prior to Implementing New Consumer Health Data Practices. Regulated Entities will not be permitted to Collect, use, or Share additional categories of Consumer Health Data not disclosed in the Consumer Health Data privacy policy, or to Collect, use, or Share Consumer Health Data for additional purposes not disclosed in that policy, without first: (1) disclosing all statutorily required information about the new Collections, uses, and/or Sharing of Consumer Health Data; and (2) obtaining the Consumer’s consent to (a) all new Collections and uses of such Consumer Health Data and (b) all new Sharing of Consumer Health Data. Additionally, Regulated Entities will need to obtain signed, valid authorizations prior to implementing any new Sales practices.
- Implement Proper Access Controls and Other Security Safeguards. Regulated Entities will need to implement the Act’s access control obligations surrounding Consumer Health Data. Regulated Entities also will need to “establish, implement, and maintain administrative, technical, and physical data security practices that . . . protect the confidentiality, integrity, and accessibility of [C]onsumer [H]ealth [D]ata appropriate to the volume and nature of the [C]onsumer [H]ealth [D]ata at issue.”
- Meet Obligations with Respect to Consumer Rights Requests. The Act provides Consumers with the right to: (1) confirm whether a Regulated Entity is Collecting, Sharing, or Selling Consumer Health Data concerning the Consumer and to access such data; (2) withdraw consent from the Collection or Sharing of their Consumer Health Data; and (3) have Consumer Health Data concerning the Consumer deleted (from all systems, including archive and backup systems). Regulated Entities will need to implement secure, reliable processes for receiving, authenticating, and timely responding to Consumer requests to exercise the rights provided under the Act (generally within 45 days of receiving the request) in accordance with all of the specific Consumer rights-related obligations set forth in the Act. Affiliates, Processors, and other third parties also will need to comply with Consumer rights obligations applicable to them under the Act.
- Enter into Requisite Data Processing Agreements with Processors Containing Statutorily Required Terms. Before disclosing Consumer Health Data to Processors, Regulated Entities will need to enter into contracts with those Processors containing all required terms. Because Processors that process Consumer Health Data outside the context of a data processing agreement with the requisite terms risk being deemed Regulated Entities under the Act, it will be important for Processors to ensure appropriate agreements are in place as well.
- Refrain from Prohibited Geofencing Practices. Regulated Entities also will need to refrain from any prohibited geofencing practices. The Act prohibits implementing a geofence around an entity that provides in-person health care services where the geofence is used to: (1) identify or track Consumers seeking health care services; (2) Collect Consumer Health Data from Consumers; or (3) send notifications, messages, or advertisements to Consumers related to their Consumer Health Data or health care services. The Act defines a “geofence” as a virtual boundary that is 2,000 feet or less from the perimeter of the physical location, so location-based marketing that targets areas near clinics, pharmacies, or similar facilities should be reviewed against this threshold. In light of the Act’s broad definitions of Consumer Health Data and “Health Care Services,” this geofencing prohibition is likely to affect a broad array of business activities, including but not limited to marketing activities.
Potential Consequences of Non-Compliance
The potential consequences of non-compliance with the Act are significant. Violations may result not only in enforcement actions by the Washington Attorney General, but also in individual and class action litigation. A violation of the Act is automatically deemed an “unfair or deceptive act in trade or commerce” and an “unfair method of competition” for purposes of the Washington Consumer Protection Act, which provides a private right of action; the Act thus gives Consumers a path to sue without having to separately establish that the conduct affected the public interest in the manner ordinarily required under that statute.
Conclusion
The My Health My Data Act will impose very onerous restrictions and compliance obligations on a wide array of businesses. It will pose compliance challenges for Regulated Entities that process covered health data but are not HIPAA covered entities or business associates (or that otherwise process personal information not exempted from the Act), such as menstrual cycle tracking applications, fitness tracking applications, and mental health applications. It will pose compliance challenges for HIPAA covered entities and business associates that process any categories of Consumer Health Data falling outside the data-level exemptions set forth in the Act. And it will pose compliance challenges for any affiliates, Processors, or third parties of Regulated Entities that receive Consumer Health Data. In light of the highly burdensome compliance obligations that will take effect in less than one year, organizations subject to the Act would be wise not to wait to begin analyzing their current ability to comply with the Act and developing a compliance plan.
Our firm also has prepared a comprehensive client alert that outlines in more detail the broad-reaching impact the Act may have on your business. If you are interested in this alert, please let us know and we can send you a copy.